Attack on Billing Vendor Results in Massive Breach

North Carolina-based Atrium Health is notifying 2.65 million individuals of a data breach involving a cyberattack on databases hosted by a third-party billing vendor, AccuDoc. If details are confirmed by federal regulators, the incident would be the largest health data breach reported so far in 2018.

In a statement issued Tuesday, Charlotte, N.C.-based Atrium Health - formerly called Carolinas HealthCare System - says certain databases containing billing information belonging to it and its managed locations may have been targeted in the attack on AccuDoc, which provides billing and other services for healthcare providers, including Atrium Health.

AccuDoc did not immediately respond to an Information Security Media Group inquiry about whether any of the vendor's other clients were impacted by the cyberattack.

Both AccuDoc and Atrium Health have been in contact with the FBI about the incident, Atrium says.

Impacted Data

Atrium says that based on an extensive forensic review of AccuDoc's systems, it appears that an unauthorized third party gained access to AccuDoc's databases between Sept. 22 and Sept. 29. AccuDoc informed Atrium Health on Oct. 1.

"The forensic investigations indicate that the information was not removed from AccuDoc's systems. In addition, Atrium Health's core systems and those of its managed locations are separate from AccuDoc's systems and were not involved in this incident," Atrium's statement says.

Atrium says information that may have been accessed includes certain personal information about patients and guarantors - those responsible for paying a patient's bill. That information may have included name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance and dates of service.

An Atrium spokesman tells ISMG the impacted data also included about 700,000 Social Security numbers.

Those impacted are being offered free credit monitoring. "It is very important to understand that the data was accessed but not downloaded in this incident," the Atrium spokesman says.

"We are monitoring the situation closely. AccuDoc has enhanced their security measures, closed off the comprised path, and we have notified the patients and guarantors who may have been impacted by this incident," he says. "We take cybersecurity very seriously, and you can be sure we've worked very hard to determine exactly what happened, and how to prevent it from happening again."

Prior to the revelation of the Atrium breach, the largest breach so far posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website this year was reported in July by Iowa Health System, which operates under the name UnityPoint. That incident, which involved a phishing attack, impacted 1.4 million individuals.

Commonly called the "wall of shame", the HHS' Office for Civil Rights' website lists health data breaches impacting 500 or more individuals.

Vendor Risk Management

Some experts say the AccuDoc breach spotlights the serious potential risks for healthcare entities involving attacks on their vendors.

"This incident just underscores the magnitude of breaches where aggregators of multiple healthcare entities' data are involved," says Mac McMillan, president of security consulting firm CynergisTek. "Due diligence should be heightened for these vendors with respect to the active protections they employ around their computing environments/applications."

Security experts also note that organizations can take steps to help mitigate the risks posed by hacks of third-party vendors.

"To the extent possible, it is important to conduct some kind of risk assessment of third- party vendors at the time their products or services are being evaluated," says Keith Fricke, principle consultant at tw-Security. "It is not enough to only sign a business associate agreement."

Others Affected?

While AccuDoc, which provides technology services to more than 50 hospitals and healthcare systems, mostly in eastern U.S., has not yet commented on whether other clients were also impacted in the cyberattack, it's conceivable that other entities were also affected, Fricke notes.

"It depends on the scope of the exposure. If AccuDoc maintains its systems in a way where all its customers use the same database and has logical access controls for data, then yes, it is possible that all its customers experienced the same exposure," he says. "On the other hand, if AccuDoc maintains a separate instance of its product for each customer, it is possible that only Atrium Health's instance was exposed."

Other health data breaches this year have involved third-party vendors.

For instance, in August, Lafayette, Louisiana-based Acadiana Computer Systems, which operates ACS Medical Business Solutions, said it became aware in July that an employee's email account had been accessed by an unauthorized individual.

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.